[PHP-DEV] Better X509 subjectAlternativeName parsing

I have some code I’ve written as part of my employment that my employer is offering to the PHP community.

It provides a better view of a certificate’s subjectAlternativeName extension than what openssl_x509_parse() currently does. I’ve implemented it as part of that function, with the data returned as an additional array element in the top level of the array returned by openssl_x509_parse(), but wanted to get feedback if that’s a desirable way to do it, or if it would be better implemented as a separate function, or some other method.

Given this test certificate:


Calling openssl_x509_parse() on it would produce this for the extensions:

    [extensions] => Array
        (
            [subjectAltName] => DNS:example.com, DNS:www.example.com, DNS:subdomain.example.com, IP Address:192.168.1.1, IP Address:2607:F0D0:1002:51:0:0:0:4, email:admin@example.com, DirName:CN = John Doe, OU = Testing + O = "Example Org, Inc.", C = US, othername:, othername:, Registered ID:1.2.3.4, URI:http://example.com/resource
            [subjectKeyIdentifier] => 80:9E:B0:91:8D:E9:0C:8E:3F:CF:5F:C9:35:40:9A:12:F6:F0:4D:0D
        )

You can see there are some difficulties with trying to use the [subjectAltName] in PHP.

My modifications (currently) add this entry after [extensions]:

    [subjectAlternativeName] => Array
        (
            [0] => Array
                (
                    [type] => DNS
                    [value] => example.com
                )

            [1] => Array
                (
                    [type] => DNS
                    [value] => www.example.com
                )

            [2] => Array
                (
                    [type] => DNS
                    [value] => subdomain.example.com
                )

            [3] => Array
                (
                    [type] => IP Address
                    [value] => 192.168.1.1
                )

            [4] => Array
                (
                    [type] => IP Address
                    [value] => 2607:f0d0:1002:51::4
                )

            [5] => Array
                (
                    [type] => email
                    [value] => admin@example.com
                )

            [6] => Array
                (
                    [type] => DirName
                    [value] => Array
                        (
                            [2.5.4.3] => John Doe
                            [2.5.4.11] => Testing
                            [2.5.4.10] => Example Org, Inc.
                            [2.5.4.6] => US
                        )

                )

            [7] => Array
                (
                    [type] => othername
                    [value] => Array
                        (
                            [1.2.840.113549.1.9.2] => UID_unstructuredName
                        )

                )

            [8] => Array
                (
                    [type] => othername
                    [value] => Array
                        (
                            [1.2.840.113549.1.9.20] => UID_friendlyName
                        )

                )

            [9] => Array
                (
                    [type] => Registered ID
                    [value] => 1.2.3.4
                )

            [10] => Array
                (
                    [type] => URI
                    [value] => http://example.com/resource
                )

        )

It could alternatively (no pun intended) be added as a subitem of [extensions] alongside [subjectAltName]. It could even replace [subjectAltName] but that would break code for anyone already looking at that. Or, it could be a completely separate function, e.g. openssl_x509_get_SAN(). That might result in a chunk of duplicated code though, as both functions would then be looping over the extensions to find the SAN and then looping over its contents.

So, I am asking here what you folks think is the right approach for this, and what would be the next steps - is it worth a PHP RFC, or is it a small enough change for just a pull request?

Thanks.

Steve Wall

Stephen Wall

Senior Staff Software Engineer

585.924.7550

REDCOM Laboratories, Inc.

Research, Engineering, & Development in Communications

One Redcom Center, Victor, NY 14564-0995

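As an added example (not the author's patch and not PHP's own code), the following PHP consumes the proposed [subjectAlternativeName] array shape from the post to decide whether a certificate names a given host or IP address, which is awkward to do reliably from the comma-separated [subjectAltName] string because DirName values can themselves contain commas. The $parsed array, the function names and the single-label wildcard rule are assumptions of this example rather than anything the post specifies.

```php
<?php
// Added example: consumes the structured SAN list proposed in the post.
// Nothing here is from the author's patch; $parsed is constructed by hand
// to mirror the print_r() output shown above.

/** Exact or single-label leftmost-wildcard match against a DNS SAN entry. */
function dnsSanMatches(string $san, string $host): bool
{
    $san  = strtolower(rtrim($san, '.'));
    $host = strtolower(rtrim($host, '.'));
    if ($san === $host) {
        return true;
    }
    // "*.example.com" matches "foo.example.com" but not "a.b.example.com".
    if (str_starts_with($san, '*.') && substr_count($host, '.') === substr_count($san, '.')) {
        return str_ends_with($host, substr($san, 1)); // substr(1) keeps ".example.com"
    }
    return false;
}

/** Compare in binary so "2607:F0D0:1002:51:0:0:0:4" equals "2607:f0d0:1002:51::4". */
function ipSanMatches(string $san, string $ip): bool
{
    $a = @inet_pton($san);
    $b = @inet_pton($ip);
    return $a !== false && $b !== false && $a === $b;
}

/** Only DNS and IP Address entries identify a server; email/URI/othername are ignored. */
function certificateCovers(array $parsed, string $target): bool
{
    $targetIsIp = filter_var($target, FILTER_VALIDATE_IP) !== false;
    foreach ($parsed['subjectAlternativeName'] ?? [] as $entry) {
        if ($targetIsIp && $entry['type'] === 'IP Address' && ipSanMatches($entry['value'], $target)) {
            return true;
        }
        if (!$targetIsIp && $entry['type'] === 'DNS' && dnsSanMatches($entry['value'], $target)) {
            return true;
        }
    }
    return false;
}

// Hand-constructed stand-in for openssl_x509_parse() output carrying the proposed element.
$parsed = ['subjectAlternativeName' => [
    ['type' => 'DNS',        'value' => 'example.com'],
    ['type' => 'DNS',        'value' => 'www.example.com'],
    ['type' => 'IP Address', 'value' => '2607:f0d0:1002:51::4'],
    ['type' => 'email',      'value' => 'admin@example.com'],
]];

var_dump(certificateCovers($parsed, 'WWW.example.com'));
var_dump(certificateCovers($parsed, '2607:F0D0:1002:51:0:0:0:4'));
var_dump(certificateCovers($parsed, 'admin@example.com'));
```

The third call is false by design: an email SAN never authorises a host name, which is exactly the kind of type distinction the flat string makes easy to get wrong.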